Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  IP softphone over ssg140

    Posted 12-10-2008 03:56

    hi,

     

    Recently I configured a bidirectional policy-based VPN with XAuth on an SSG140. Everything is OK, but I am trying to make my Nortel IP softphone work and I am getting this message in the software: NAT error ITG3053!

     

    I am wondering if anyone has come across a similar issue?

     

    My SSG firmware is 6.0.0r5.0

    and my VPN client is 10.8.3 (build 6)

     

    Thanks



  • 2.  RE: IP softphone over ssg140

    Posted 12-10-2008 05:20

    The softphone is probably using SIP. You should check the specific ports it is using.

     

    I suppose you could also benefit from a newer ScreenOS. Remember that 6.1 is the recommended version at this moment.

    SIP and IP Telephony is a specific field that has active development.



  • 3.  RE: IP softphone over ssg140
    Best Answer

    Posted 12-10-2008 14:34

    Hi there

     

    You will really need to check that you have configured all the appropriate ports on the VPN policy. I guess a good method will be to run Wireshark on the PC to check which ports you are using for the VOIP traffic, then you can set up the policy correctly.

     

    Do remember that for VOIP, you will usually have 2 sessions, 1 for the control session and 1 for the media session. The media session usually uses dynamic ports. For most clients there is a range of ports so if you have that list you can specify that in the vpn policy.

     

     



  • 4.  RE: IP softphone over ssg140

    Posted 12-10-2008 22:15

    ric0, WL

     

    Thanks to both of you. I'll try your suggestions, then I'll give feedback.

     

     

     



  • 5.  RE: IP softphone over ssg140

    Posted 12-10-2008 23:36

    I ran Wireshark after establishing the VPN and the application, and I found only this when I captured only UDP:

     

    user datagram protocol, src port: ipsec-nat-t 4500, dst port: ipsec-nat-t 4500

    nat-keepalive packet

     

    I tried to create the port mentioned above and added it to the policy, but I am still getting the same error.
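
Added example, not part of the original thread: RFC 3948 puts three kinds of datagram on UDP 4500 (a one-byte 0xFF NAT-keepalive, IKE prefixed by a four-zero-byte non-ESP marker, and ESP-in-UDP), and the inner SIP and media ports sit inside the encrypted ESP payload, so a capture of the tunnel itself only ever shows port 4500. The Python sketch below classifies such payloads; the sample bytes, the SPI value and the helper `ike_packet` are constructed for illustration.

```python
import struct
from collections import Counter

NON_ESP_MARKER = b"\x00" * 4  # RFC 3948: four zero bytes precede IKE on UDP 4500
IKEV1_EXCHANGES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}

def classify_udp4500(payload: bytes) -> dict:
    """Classify one UDP payload seen on port 4500 using RFC 3948 framing."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}      # keeps the NAT mapping alive, no data
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < 28:                     # ISAKMP header is 28 bytes
            return {"kind": "malformed"}
        exch = ike[18]                        # exchange type field of the header
        return {"kind": "ike", "exchange": IKEV1_EXCHANGES.get(exch, str(exch))}
    if len(payload) >= 8:
        # ESP: SPI (non-zero) and sequence number in clear, the rest encrypted,
        # including the inner IP/UDP headers that carry the VoIP ports.
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "malformed"}

def summarize(payloads) -> dict:
    """Count payload kinds across a capture."""
    return dict(Counter(classify_udp4500(p)["kind"] for p in payloads))

def ike_packet(exchange_type: int) -> bytes:
    """Build a minimal constructed IKEv1 header behind the non-ESP marker."""
    hdr = b"\x11" * 8 + b"\x00" * 8 + bytes([1, 0x10, exchange_type, 0])
    return NON_ESP_MARKER + hdr + struct.pack("!II", 0, 28)

# Constructed sample capture: UDP payloads only, all on port 4500.
SAMPLE = [
    ike_packet(4),
    b"\xff",
    struct.pack("!II", 0x1A2B3C4D, 1) + b"\xaa" * 40,
    struct.pack("!II", 0x1A2B3C4D, 2) + b"\xaa" * 40,
    b"\xff",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(classify_udp4500(p))
    print(summarize(SAMPLE))
```

To see the softphone's own control and media ports, the capture has to be taken where the traffic is in the clear, for example on the far side of the tunnel.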

     

     



  • 6.  RE: IP softphone over ssg140

    Posted 12-11-2008 00:06

    Can you clarify what you are trying to do? What is the setup and where is the softphone located?

     

    Can you get some more detail on the error on the Softphone?

     

    It seems that the softphone has a problem registering itself to the SIP server.



  • 7.  RE: IP softphone over ssg140

    Posted 12-11-2008 01:08

    Currently the softphone is installed on my PC, and I am trying to run the softphone after establishing the VPN. The current setup is that I have created a bidirectional policy-based VPN with XAuth authentication enabled. Once I established the VPN session I can communicate with all the services on the other side except the softphone; it gives me this error: NAT ERROR! ITG 3053.

     

    One thing I noticed in the VPN policy: when I enable source translation the software gives me the above error, and when I deselect it, it doesn't connect at all.

     

    Below is the VPN configuration:

     

    peer identity list:
      0: NOT IAS
    IAS ID 843bafc
    (0f) group <4> user <-1>
        Phase 1 SA:
        Phase 2 SA: 2f(inactive) 30(inactive)
    session timeout: 0


    Preferred Local Cert
    --------------------

    local cert not configured.


    Preferred Peer Cert
    -------------------

    Subject DN
    ----------
    OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US

    Peer Cert Type
    --------------
    Preferred cert type: X509-SIG

    Heartbeat Hello: 0(sec), Threshold: 5(times), Reconnect: 0(sec)

    ----------- XAUTH Config -------------
    XAUTH Server enabled. Authentication: Use Default Config
    allow any xauth user



  • 8.  RE: IP softphone over ssg140

    Posted 12-11-2008 01:14
    SG140-> get ike gateway Nortel
     Id  Name            Gateway Address Gateway ID      Mode Proposals
    ---- --------------- --------------- --------------- ---- ---------
       2 Nortel          Group                           Aggr pre-g2-3des-sha.XAUTH
    Preshared Key: <***> Shared
    use count<1>, status Enabled
    user id<-1>, dial up id<4>
    Flags 0x00000000
    IP version 4
    slot number<0>.

    outgoing interface:
    interface name = ethernet0/2, ip = 195.39.185.8, vsys = Root.
    local-id empty.
    peer-id empty.
    peer-container-id empty.
    IPsec NAT-Traversal: disabled.
      local ike udp port 500.
      peer ike udp port 500.
    vpn list: Nortel
    peer identity list:
      0: NOT IAS
    IAS ID 843bafc
    (0f) group <4> user <-1>
        Phase 1 SA:
        Phase 2 SA: 2f(inactive) 30(inactive)
    session timeout: 0


    Preferred Local Cert
    --------------------

    local cert not configured.


    Preferred Peer Cert
    -------------------

    Subject DN
    ----------
    OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US

    Peer Cert Type
    --------------
    Preferred cert type: X509-SIG

    Heartbeat Hello: 0(sec), Threshold: 5(times), Reconnect: 0(sec)

    ----------- XAUTH Config -------------
    XAUTH Server enabled. Authentication: Use Default Config
    allow any xauth user


  • 9.  RE: IP softphone over ssg140

    Posted 12-11-2008 05:25

    I notice that you have "IPsec NAT-Traversal: disabled". I think you should enable that.

     

    Where is the SIP server for the IP Softphone located? Is that on the remote end of the tunnel?



  • 10.  RE: IP softphone over ssg140

    Posted 12-11-2008 05:30

    I'll try enabling NAT traversal.

     

    The SIP IP is 10.0.0.82